Abstract

In this complex computer age where information is
accumulated and exchanged at a rate beyond our ability to closely monitor,
an attack has been formulated to shave off small pieces of these
transactions. The "salami attack" executes barely noticeable small acts,
such as shaving a penny from thousands of accounts or acquiring bits of
information from less secure means to gain knowledge of the whole
undetected. Salami attacks go mostly undetected or unreported and few have
been completely substantiated.

Salami Definition

The origin of the terminology has a double meaning and
both definitions accurately describe the methodology of a salami attack.
The idea of 'salami slicing' where a small piece is cut off the end with no
noticeable difference in the overall length of the original is one way of
looking at it [5]. Another definition describes the creation of a larger
entity composed of many smaller scraps, similar to the contents of salami
[6]. Either way, a salami attack is one in which negligible amounts are
removed and accumulated into something larger.

Architects of Salami Strikes

In order to determine the perpetrator of such an
attack, one has to look at the motivational factors involved in salami
attacks. Salami strikes often involve some form of financial gain but they
can also be used for information gathering purposes. Often insiders,
consultants, or anyone else with knowledge of the system and looking to
steal money perpetrate these attacks. However, government agencies, spies,
or anyone else looking to covertly gain information can also utilize salami
attacks [7].

Instances of Attacks

The more recognized form of a salami attack is taking
the rounded off decimal fractions of bank transactions and transferring them
into another account (many will remember this as being a key plot point in
such movies as Superman III and Office Space). Banks often use decimal
places beyond the penny when calculating amounts in terms of interest. If a
customer earning interest every month has accumulated $50.125 in interest,
the fraction of the penny is rounded according to the bank's system [3].
Such an attack was reportedly perpetrated at a Canadian bank where an
insider siphoned $70,000 from other customer accounts into his own. "A bank
branch decided to honor the customer who had the most active account. It
turned out to be an employee who had accumulated $70,000 funneling a few
cents out of every account into his own." [Green] [1]. Taking such a small
fraction may seem insignificant or even invisible to the victims, but when
done across millions of transactions, the accumulation can be immense for
the attacker.
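
An added example, not part of the original essay: one way an auditor could look for the penny-shaving described above is to recompute every interest posting under the bank's rounding rule and to flag any account that collects tiny credits from many others, the pattern in the Canadian bank quote. The account ids, the sample records, the thresholds and the round-half-even rule are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal as D, ROUND_HALF_EVEN

CENT = D("0.01")

# Constructed batch: (account, interest at full precision, amount credited).
POSTINGS = [
    ("A-100", D("50.125"), D("50.12")),
    ("A-101", D("12.347"), D("12.34")),
    ("A-102", D("8.019"), D("8.01")),
    ("A-103", D("31.555"), D("31.55")),
    ("A-104", D("4.996"), D("4.99")),
    ("A-105", D("20.002"), D("20.00")),
]

# Constructed ledger movements from the same batch: (source, destination, amount).
TRANSFERS = [
    ("A-101", "E-900", D("0.01")),
    ("A-102", "E-900", D("0.01")),
    ("A-103", "E-900", D("0.01")),
    ("A-104", "E-900", D("0.01")),
    ("A-100", "M-500", D("25.00")),
    ("A-105", "M-500", D("40.00")),
]

def rounding_shortfalls(postings, rounding=ROUND_HALF_EVEN):
    """Return {account: expected - credited} for postings that do not match
    the rounding rule (assumed here to be round-half-even)."""
    out = {}
    for account, exact, credited in postings:
        expected = exact.quantize(CENT, rounding=rounding)
        if expected != credited:
            out[account] = expected - credited
    return out

def fan_in_suspects(transfers, max_amount=D("0.05"), min_sources=3):
    """Return {destination: (distinct sources, total)} for accounts that
    collect tiny credits from many different accounts."""
    sources, totals = defaultdict(set), defaultdict(D)
    for src, dst, amount in transfers:
        if amount <= max_amount:
            sources[dst].add(src)
            totals[dst] += amount
    return {d: (len(s), totals[d]) for d, s in sources.items() if len(s) >= min_sources}

if __name__ == "__main__":
    short = rounding_shortfalls(POSTINGS)
    print("under-credited:", short, "total:", sum(short.values()))
    print("fan-in suspects:", fan_in_suspects(TRANSFERS))
```

When the total shortfall equals the total collected by a flagged destination, as it does in this constructed batch, the two findings point at the same account.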

Other versions of this kind of attack involve economic
gain through less precarious channels. Employees modifying computer-billing
programs so that the customer is slightly overcharged on certain
transactions fall into this category. One such case involved a rental
agency that "modified a computer billing program to add five extra gallons
to the actual gas tank capacity of their vehicles" [2]. Customers unaware
of the tank capacities would be overcharged with very little suspicion being
raised. This clever technique shows that the slicing need not be directly
monetary. Exploiting customer unawareness on matters such as gasoline tank
size can often go unnoticed. Another example of this happened when a gas
station installed modified chips to misread how much gas was being pumped.
Customers began noticing that their vehicles were supposedly taking more gas
than the tank could hold. Systems to keep this in check failed to notice
the attack right away because "the perpetrators programmed the chips to
deliver exactly the right amount of gasoline when asked for five- and
10-gallon amounts - precisely the amounts typically used by inspectors."
[2]. Salami attacks are hard to track down and examples like this show the
importance of tracking even the slightest error because it could be a sign
of a bigger problem.
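
An added example, not part of the original essay: the gas station case shows why a check limited to the usual five- and 10-gallon amounts can miss a problem, so this sketch compares metered and measured volumes at other amounts as well. The pump ids, the readings and the tolerance are constructed assumptions, not figures from the cited case.

```python
from collections import defaultdict

INSPECTION_VOLUMES = {5.0, 10.0}  # amounts inspectors typically request (from the text)
TOLERANCE = 0.005                 # assumed acceptable relative shortfall (constructed)

# Constructed test records: (pump id, gallons shown on the meter,
# gallons measured in a calibrated container).
READINGS = [
    ("P1", 5.0, 5.00), ("P1", 10.0, 10.00), ("P1", 7.3, 7.29), ("P1", 12.6, 12.61),
    ("P2", 5.0, 5.00), ("P2", 10.0, 10.00), ("P2", 7.3, 6.90), ("P2", 12.6, 11.95),
    ("P2", 3.1, 2.93),
    ("P3", 5.0, 4.80), ("P3", 10.0, 9.60), ("P3", 8.2, 7.87),
]

def classify_pumps(readings, tolerance=TOLERANCE):
    """Return {pump: verdict}, separating pumps that are short everywhere from
    pumps that are accurate only at the volumes inspectors normally test."""
    worst = defaultdict(lambda: {"inspection": 0.0, "other": 0.0})
    for pump, metered, measured in readings:
        shortfall = (metered - measured) / metered  # fraction billed but not delivered
        kind = "inspection" if metered in INSPECTION_VOLUMES else "other"
        worst[pump][kind] = max(worst[pump][kind], shortfall)

    verdicts = {}
    for pump, w in worst.items():
        if w["inspection"] > tolerance:
            verdicts[pump] = "short at inspection volumes"
        elif w["other"] > tolerance:
            verdicts[pump] = "accurate only at inspection volumes"
        else:
            verdicts[pump] = "ok"
    return verdicts

if __name__ == "__main__":
    for pump, verdict in sorted(classify_pumps(READINGS).items()):
        print(pump, verdict)
```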

In addition to financial gains through salami attacks,
information is another asset that can be accumulated in unnoticeable quantities.
Acquiring small quantities of information from multiple sources or channels
and piecing them together can yield a clear picture of the target. "The
intelligence gathering process consists of piecing together fragments of
information to predict the future. It is not tantamount to looking for a
needle in a haystack, but for the right three or four pieces of hay in a
haystack that will add up to a prediction of a terrorist attack." [Lake]
[4]. In this example, information about an attack can be gleaned by
piecing together bits of phone conversations, emails, and knowledge of where
a person traveled or shopped, which together reveal the overall picture of
the organization.

Conclusion

If there is one important lesson to learn from salami
attacks, it is that even the minutest amount of information can be vitally
important. Salami attacks are meant to go undetected and spread the burden
of harm across a large number of transactions. Salami attacks stress the
need for constant monitoring of a system and show that even minor
discrepancies could be the breadcrumbs of a larger attack. The difficulty of
detecting them, and the fact that the perpetrators are often close to the
target, make them one of the more elusive information attack methods.